(54) Method and apparatus for securely authorizing performance of a function in a distributed system such as a postage meter

(57) A method for authorizing performance of a function in a distributed system (1) having first (3) and second (5) subsystems in communication with each other includes the steps of separately generating a mutual session key within the first and second subsystems; utilizing the mutual session key generated in each of the first and second subsystems (3, 5) for authenticating the first subsystem; and authorizing performance of the function only upon completion of the authenticating of step B). An apparatus performs the inventive method.

FIG. 1
Description

This invention relates to a method and apparatus for securely authorizing performance of a function in a distributed system, and more particularly to a method and apparatus for securely authorizing the printing of a postage indicia by a postage meter.

Traditional postage meters imprint an indicia on a mailpiece as evidence that postage has been paid. These traditional postage meters create the indicia using a platen or a rotary drum which are moved into contact with the mailpiece to imprint the indicia thereon. While traditional postage meters have performed admirably over time, they are limited by the fact that if the indicia image significantly changes, a new platen or rotary drum will have to be produced and placed in each meter. Accordingly, newer postage meters now take advantage of modern digital printing technology to overcome the deficiencies of traditional meters. The advantage of digital printing technology is that since the digital printhead is software driven, all that is required to change an indicia image is new software. Thus, the flexibility in changing indicia images or adding customized ad slogans is significantly increased.

Modern digital printing technology includes thermal ink jet (bubble jet), piezoelectric ink jet, thermal printing techniques, and LED and Laser Xerographic printing, which all operate to produce images by dot-matrix printing. In dot-matrix ink jet printing individual print elements in the printhead (such as resistors or piezoelectric elements) are either electronically stimulated or not stimulated to expel or not expel, respectively, drops of ink from a reservoir onto a substrate. Thus, by controlling the timing of the energizing of each of the individual print elements in conjunction with the relative movement between the printhead and the mailpiece, a dot-matrix pattern is produced in the visual form of the desired indicia.

While digital printing technology provides the advantages discussed above, it also permits the size and weight of the meter to be dramatically reduced since the digital printhead is very small in size. Moreover, from an electronics architecture viewpoint the entire meter is now a distributed system having its various functions divided between numerous subsystems such as a vault subsystem and a printer subsystem. Each of the subsystems can communicate with each other but can also have independent processing capabilities permitting parallel processing of information and increased efficiency in operation. However, the downside of the above described distributed system is that when data is transferred over physically unsecured data lines, it is susceptible to interception and analysis utilizing, for example, a logic analyzer. If such interception and analysis occurs, the data signals may be capable of being reproduced. In the case of a postage meter, a vault typically accounts for the postage transaction prior to initiating printing of an indicia by the printer. Thus, if the vault print command signal can be reproduced, it may be possible to generate an indicia without having the associated accounting therefor taking place, which would result in reduced revenues for the postal authority.

It is an object of the invention to provide a method 
and apparatus for securely authorizing the performance 
of a function by a distributed system. 

A method for authorizing performance of a function in a distributed system having first and second subsystems in communication with each other includes the steps of:

A) separately generating a mutual session key within the first and second subsystems;

B) utilizing the mutual session key generated in each of the first and second subsystems for authenticating the first subsystem; and

C) authorizing performance of the function only upon completion of the authenticating of step B).

An apparatus for performing the above-mentioned authorization includes:

a first subsystem having means for establishing a mutual session key; and

a second subsystem having means for establishing the mutual session key separately from the first subsystem;

wherein the first and second subsystems communicate with each other and utilize the mutual session key established in each of the first and second subsystems to mutually authenticate each other and to only permit performance of the function upon completion of the mutual authentication.

The accompanying drawings, which are incorporated in and constitute a part of the specification, illustrate a presently preferred embodiment of the invention, and together with the general description given above and the detailed description of the preferred embodiment given below, serve to explain the principles of the invention.

Figure 1 is a schematic diagram of a postage meter incorporating an embodiment of the claimed invention;

Figure 2 shows an indicia produced by an embodiment of the inventive apparatus; and

Figure 3 is a flow chart of an embodiment of the inventive mutual authentication method.

Figure 1 shows a schematic representation of a postage meter 1 implementing the inventive process. Postage meter 1 includes a base 3 and a printhead module 5. Base 3 includes a first functional subsystem referred to as a vault microprocessor 7 and a second functional subsystem referred to as a base microprocessor 9. Vault microprocessor 7 has software and associated memory to perform the accounting functions of postage meter 1. That is, vault microprocessor 7 has the capability to have downloaded therein in a conventional manner a predetermined amount of postage funds. During each postage transaction, vault microprocessor 7 checks to see if sufficient funds are available. If sufficient funds are available, vault microprocessor 7 debits the amount from a descending register, adds the amount to an ascending register, and sends the postage amount to the printhead module 5 via the base microprocessor 9. Base microprocessor 9 also sends the date of submission data to the printhead module 5, via line 6, so that a complete indicia image can be printed.

Vault microprocessor 7 thus manages the postage funds with the ascending register representing the lifetime amount of postage funds spent, the descending register representing the amount of funds currently available, and a control sum register showing the running total amount of funds which have been credited to the vault microprocessor 7. Additional features of vault microprocessor 7 which can be included are a piece counter register, encryption algorithms for generating vendor and postal tokens, and software for requiring a user to input a personal identification number which must be verified by the vault microprocessor 7 prior to its authorizing any vault transaction. Alternatively, the verification of the personal identification number could be accomplished by either the base microprocessor 9 or the print module microprocessor 41 (discussed below).

Base microprocessor 9 acts as a traffic cop in coordinating and assisting in the transfer of information along data line 10 between the vault microprocessor 7 and the printhead module 5, as well as coordinating various support functions necessary to complete the metering function. Base microprocessor 9 interacts with keyboard 11 to transfer user information input through keyboard keys 11a (such as postage amount, date of submission) to the vault microprocessor 7. Additionally, base microprocessor 9 sends data to a liquid crystal display 13 via a driver/controller 15 for the purpose of displaying user inputs or for prompting the user for additional inputs. Moreover, base microprocessor 9 provides power and a reset signal to vault microprocessor 7 via respective lines 17, 19. A clock 20 provides date and time information to base microprocessor 9. Alternatively, clock 20 can be eliminated and the clock function can be accomplished by the base microprocessor 9. Base microprocessor 9 also provides a clock signal to vault microprocessor 7.

Postage meter 1 also includes a conventional power supply 21 which conditions raw A.C. voltages from a wall mounted transformer 23 to provide the required regulated and unregulated D.C. voltages for the postage meter 1. Voltages are output via lines 25, 27, and 29 to a printhead motor 31, printhead 33 and all logic circuits. Motor 31 is used to control the movement of the printhead 33 relative to the mailpiece upon which an indicia image is to be printed. Base microprocessor 9 controls the supply of power to motor 31 to ensure the proper starting and stopping of printhead 33 movement after vault microprocessor 7 authorizes a postage transaction.

Base 3 also includes a motion encoder 35 that senses the movement of the printhead motor 31 so that the exact position of printhead 33 can be determined. Signals from motion encoder 35 are sent to printhead module 5 to coordinate the energizing of individual printhead elements 33a in printhead 33 with the positioning of printhead 33. Alternatively, motion encoder 35 can be eliminated and the pulses applied to stepper motor 31 can be counted to determine the location of printhead 33 and to coordinate energizing of printhead elements 33a. While only one motor 31 is shown, there can be other motors controlled by base microprocessor 9 such as a motor for moving printhead 33 in a second direction and a motor for moving a mailpiece clamping mechanism (not shown).

Printhead module 5 includes printhead 33, a printhead driver 37, a drawing engine 39 (which can be a microprocessor or an Application Specific Integrated Circuit (ASIC)), a microprocessor 41 and a non-volatile memory 43. NVM 43 has stored therein indicia image data which can be printed on a mailpiece. Microprocessor 41 receives a print command, the postage amount, and date of submission via the base microprocessor 9. The postage amount and date of submission are sent from microprocessor 41 to the drawing engine 39 which then accesses non-volatile memory 43 to obtain the required indicia image data therefrom which is stored in registers 44 to 44n. The stored image is then downloaded on a column-by-column basis by the drawing engine 39 to the printhead driver 37, via column buffers 45, 47 in order to energize individual printhead elements 33a to print the indicia image on the mailpiece. The individual column-by-column generation of the indicia image is synchronized with movement of printhead 33 until the full indicia is produced. Specific details of the generation of the indicia image are set forth in copending European application 96117777.1 (US Application serial number 08/554,179 filed November 6, 1995), which is incorporated herein by reference.

Figure 2 shows an enlarged representative example of a typical postage indicia which can be printed by postage meter 1 for use in the United States. The postage indicia 51 includes a graphical image 53 including the 3 stars in the upper left hand corner, the verbiage "UNITED STATES POSTAGE", and the eagle image; an indicia identification number 55; a date of submission 57; the originating zip code 59; the words "mailed from zip code" 61, which for the ease of simplicity is just being shown with the words "SPECIMEN SPECIMEN"; the postage amount 63; a piece count 65; a check digits number 67; a vendor I.D. number 69; a vendor token 71; a postal token 73; and a multipass check digit 75. While most of the portions of the indicia image 51 are self explanatory, a few require a brief explanation. The vendor I.D. number identifies who the manufacturer of the meter is, and the vendor token and postal token numbers are encrypted numbers which can be used by the manufacturer and post office, respectively, to verify if a valid indicia has been produced.

The Figure 2 indicia is simply a representative example and the information contained therein will vary from country to country. In the context of this application the terms indicia and indicia image are being used to include any specific requirements of any country.

A benefit of the above-described distributed postage meter system is that because of the divided functionality, less expensive microprocessors can be utilized resulting in a lower cost postage meter. Moreover, the modularity of the system allows for easy replacement of the vault and printing modules in the event of failure of either of these modules. However, as previously discussed, the use of a distributed digital system where data is transferred over physically unsecured data lines (for example, data lines 10, 6) results in the system being susceptible to having its data intercepted and reproduced. If such interception and reproduction is accomplished, it is possible that printing module 5 could be driven to print an indicia image without the necessary accounting taking place.

In order to overcome the security problem discussed above, a secure electronic link is provided between vault microprocessor 7 and print module microprocessor 41. The secure electronic link is accomplished through an encryption process which provides for a mutual authentication between the printhead module 5 and the vault microprocessor 7 prior to authorizing printing of the indicia image, debiting of postage, and updates to certain vault data such as PIN location and account numbers. The inventive encryption process significantly decreases the possibility of data interception and reproduction. Moreover, in the preferred embodiment base microprocessor 9 acts as a non-secure communication channel between the vault microprocessor 7 and print module microprocessor 41. However, the secure link discussed above and described in more detail below can be applied between any subsystems of postage meter 1.

The inventive method is described in Figure 3. In step S1 an operator enters a desired postage amount for a postage transaction via the keyboard 11. Upon insertion of the mailpiece into the postage meter 1 and its clamping in place by a platen (not shown), base microprocessor 9 sends a signal to vault microprocessor 7 and print module microprocessor 41 requesting that a session key (SK) be established as shown in step S2. In order to establish the session key, vault microprocessor 7 and printhead module microprocessor 41 each have an identical set of "M" authentication keys (AK) stored in memory, with each authentication key having a particular index (1 to M) associated therewith. In addition, print module microprocessor 41 also has a set of numbers "0 to N" stored therein which are used to select a particular one of the authentication keys. That is, print module microprocessor 41 is programmed for each postage transaction to select one of the set of numbers "0 to N" either on a sequential or random basis (step S3). Assuming for example that the number "N" is selected, print module microprocessor 41 determines the particular authentication key index AKI (step S4) utilizing a conventional translation function that creates an index within the range 1 to M. Since the authentication keys AK1 to AKM are stored in a look-up table in the vault microprocessor 7 and print module microprocessor 41, the index AKI can be associated with a particular key such as, for example, AK1 (step S5). It is important to note that the set of numbers 0 to N can be much larger than the number of keys 1 to M. Therefore, the combination of a large set of numbers 0 to N combined with the random selection of one of these numbers to create the index AKI results in a very secure process.

After print module microprocessor 41 selects one of the numbers 0 to N, that number is sent to vault microprocessor 7 together with a first piece of data VD1 that varies with each postage transaction and is stored in register counter 77 in print module microprocessor 41 (step S6). Upon receipt, the vault microprocessor 7, which has stored therein an identical authentication key look-up table and the AKI translation function used by the print module microprocessor 41, independently uses the selected number 0 to N to generate AKI and identify the same authentication key AK (step S7) being utilized by the print module microprocessor 41. The vault microprocessor 7 also has a register 79 whose contents VD2 are variable for each postage transaction and are used together with the authentication key AK to create the session key SK (step S8). That is, a conventional encryption algorithm is applied to VD2 and the authentication key to produce the session key:

SK = ENCRYPT(VD2, AK).

Once vault microprocessor 7 determines the session key it generates a first authentication certificate (AUC1) (step S9) as follows:

AUC1 = ENCRYPT(VD1, SK)

Subsequent to generation of the first authentication certificate, vault microprocessor 7 sends all or part of the first authentication certificate and VD2 to the print module microprocessor 41 (step S10). That is, if AUC1 is, for example, eight bytes of data, it can be sent in total or a truncation algorithm can be applied to it to only send a predetermined number of bytes of AUC1. The print module microprocessor 41, upon receipt of AUC1, independently determines SK (step S11) in the same manner as vault microprocessor 7 since print module microprocessor 41 has stored therein the DES algorithm, has itself generated AK, and has received VD2 from vault microprocessor 7.

EP0 782 111 A2

Subsequent to its generation of SK, print module microprocessor 41 generates a second authentication certificate:

AUC2 = ENCRYPT(VD1, SK)

which should be the same as AUC1 (step S12). In the event that print module microprocessor 41 compares AUC1 to AUC2 (step S13) and they are not the same, the print module microprocessor 41 will initiate cancellation of the postage transaction (step S14). On the other hand, if AUC1 and AUC2 are the same, print module microprocessor 41 has authenticated that vault microprocessor 7 is a valid vault. It is to be noted that if a truncated portion of AUC1 is sent from vault microprocessor 7 to print module microprocessor 41, then print module microprocessor 41 must apply the same truncation algorithm to AUC2 prior to the comparison step.

Subsequent to vault microprocessor 7 authentication, print module microprocessor 41 generates a first ciphered data certificate "CD1" where:

CD1 = ENCRYPT(VD3, SK)

and VD3 represents a variable piece of data within the meter 1 such as piece count or date of submission, which data is made available to both the vault microprocessor 7 and print module microprocessor 41 (step S15). Upon generation of CD1, it is sent in whole or in part (as discussed in connection with AUC1, AUC2) to vault microprocessor 7 (step S16). Vault microprocessor 7 then generates its own ciphered certificate of data "CD2" by applying the encryption algorithm to VD3 and the session key SK generated by vault microprocessor 7 (step S17). Vault microprocessor 7 then compares CD1 to CD2 (step S18) and if they do not match, vault microprocessor 7 initiates cancellation of the postage transaction (step S19). In the event that CD1 and CD2 are the same, the vault microprocessor 7 has authenticated print module microprocessor 41 and mutual authentication between vault microprocessor 7 and print module microprocessor 41 has been completed. Subsequently, vault microprocessor 7 is prepared to debit the required postage amount in the accounting module. Upon completion of the debit, a print command is sent to the printhead module 5 to initiate printing of the indicia image (step S20).

The above process provides an extremely secure electronic link between subsystems because all data which is transmitted between the subsystems is variable for each postage transaction. While this does not necessarily have to be the case, it provides increased security by reducing the predictability of the data being transferred. The use of the variable data (VD1, VD2, VD3) ensures the uniqueness of the ciphered values (SK, AUC1, AUC2, CD1, CD2) for each postage transaction. Moreover, the session key, which is required to initiate the whole mutual authentication procedure and to generate AUC1, AUC2, CD1 and CD2, is never transmitted between the individual subsystems thereby guaranteeing the secure knowledge of the session key among the subsystems. Finally, if a truncation algorithm is used in connection with any or all of the generated certificates, security is further enhanced since the truncation algorithm must be known in order to complete the postage transaction.
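The exchange of steps S2 to S20 described above, together with the variable-data and truncation points just made, as an added Python model that is not part of the patent. It assumes ENCRYPT(data, key) is modelled by HMAC-SHA256 cut to 8 bytes in place of the DES algorithm the text names, that the "conventional translation function" from a selection number 0..N to a key index 1..M is (n mod M) + 1, that registers 77 and 79 (VD1, VD2) are simple counters, and that the truncation algorithm keeps the first 4 bytes of each certificate; M, N, the key table and all sample values are constructed.

```python
import hashlib
import hmac
import os

M = 8            # authentication keys AK1..AKM held identically by both subsystems
N = 2**16 - 1    # selection numbers 0..N, a much larger set than the M keys
TRUNC = 4        # bytes of each 8-byte certificate actually transmitted (truncation)


def encrypt(data: int, key: bytes) -> bytes:
    """Stand-in for ENCRYPT(data, key): 8 keyed bytes via HMAC-SHA256 (assumption, not DES)."""
    return hmac.new(key, data.to_bytes(4, "big"), hashlib.sha256).digest()[:8]


def key_index(selection: int) -> int:
    """Assumed translation function: selection number in 0..N -> index AKI in 1..M."""
    return selection % M + 1


def make_table(seed: bytes) -> dict:
    """Constructed AK1..AKM look-up table (a real meter would load these at manufacture)."""
    return {i: hashlib.sha256(seed + bytes([i])).digest()[:16] for i in range(1, M + 1)}


class PrintModule:  # print module microprocessor 41
    def __init__(self, ak_table: dict):
        self.ak, self.vd1, self.selection, self.sk = ak_table, 0, 0, b""

    def start_session(self) -> tuple:
        # S3-S6: choose a selection number, advance register counter 77 (VD1), send both
        self.vd1 += 1
        self.selection = int.from_bytes(os.urandom(2), "big") % (N + 1)
        return self.selection, self.vd1

    def verify_vault(self, auc1_sent: bytes, vd2: int) -> bool:
        # S11-S13: SK from received VD2 and local AK; AUC2 compared truncated with AUC1
        self.sk = encrypt(vd2, self.ak[key_index(self.selection)])
        auc2 = encrypt(self.vd1, self.sk)
        return hmac.compare_digest(auc2[:TRUNC], auc1_sent)

    def certificate(self, vd3: int) -> bytes:
        # S15-S16: CD1 = ENCRYPT(VD3, SK), sent truncated
        return encrypt(vd3, self.sk)[:TRUNC]


class Vault:  # vault microprocessor 7
    def __init__(self, ak_table: dict, funds: int):
        self.ak, self.vd2, self.sk = ak_table, 0, b""   # register 79 holds VD2
        self.descending, self.ascending = funds, 0

    def respond(self, selection: int, vd1: int) -> tuple:
        # S7-S10: same AKI, SK = ENCRYPT(VD2, AK), AUC1 = ENCRYPT(VD1, SK); send AUC1 part and VD2
        self.vd2 += 1
        self.sk = encrypt(self.vd2, self.ak[key_index(selection)])
        return encrypt(vd1, self.sk)[:TRUNC], self.vd2

    def verify_printer(self, cd1_sent: bytes, vd3: int) -> bool:
        # S17-S18: CD2 from the vault's own SK, compared with the truncated CD1
        return hmac.compare_digest(encrypt(vd3, self.sk)[:TRUNC], cd1_sent)

    def debit(self, amount: int) -> bool:
        # reached only after mutual authentication; descending/ascending registers
        if amount > self.descending:
            return False
        self.descending -= amount
        self.ascending += amount
        return True


def transaction(vault: Vault, printer: PrintModule, postage: int, vd3: int) -> bool:
    """Steps S2-S20 over the untrusted base channel; True means the print command may issue."""
    selection, vd1 = printer.start_session()
    auc1, vd2 = vault.respond(selection, vd1)
    if not printer.verify_vault(auc1, vd2):         # S13 mismatch -> S14 cancel
        return False
    if not vault.verify_printer(printer.certificate(vd3), vd3):  # S18 mismatch -> S19 cancel
        return False
    return vault.debit(postage)                      # S20: debit, then print command
```

Because VD1 advances every session, a captured (AUC1, VD2) pair fed back to the print module in a later session fails the S13 comparison, which is the property the paragraph above attributes to the variable data.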

Claims 

1. A method for authorizing performance of a function in a distributed system (1) having first and second subsystems (3, 5) in communication with each other, the method comprising the steps of:

A) separately generating a mutual session key within the first and second subsystems;

B) utilizing the mutual session key generated in each of the first and second subsystems for authenticating the first subsystem;

C) authorizing performance of the function only upon completion of the authenticating of step B).

2. A method as recited in claim 1, further comprising utilizing the mutual session key generated in each of the first and second subsystems for authenticating the second subsystem and authorizing performance of the function only upon completion of the authenticating of the first and second subsystems.

3. A method as recited in claim 1 or 2, further comprising authenticating the first and second subsystems without transmitting the mutual session key between the first and second subsystems.

4. A method as recited in any one of the preceding claims, wherein during step C) printing by the distributed system is authorized.

5. A method as recited in any one of the preceding claims, further comprising separately selecting a common one of a plurality of authentication keys within the first and second subsystems and respectively using the common one of the plurality of authentication keys selected within each of the first and second subsystems to generate the mutual session key within the first and second subsystems.

6. A method as recited in claim 5, wherein generating of the mutual session key within the first and second subsystems is accomplished without transmitting the common one of the plurality of authentication keys between the first and second subsystems.

7. A method as recited in claim 5, wherein the mutual session key is generated in the first and second subsystems by applying an encryption algorithm to the common one of the plurality of authentication keys and to a first data element that varies with the performance of each printing.

8. A method as recited in claim 5, wherein the first and second subsystems respectively generate first and second authentication certificates which are each at least partially based upon the mutual session key and printing is authorized when the first and second authentication certificates are compared and determined to have a preexisting relationship to each

9. A method as recited in claim 8, wherein the first and second authentication certificates are generated by applying an encryption algorithm to the mutual session key and a second data element which varies with the performance of each printing.

10. An apparatus for performing a function comprising:

a first subsystem (3) having means (7) for establishing a mutual session key; and

a second subsystem (5) having means (41) for establishing the mutual session key separately from the first subsystem;

wherein the first and second subsystems (3, 5) communicate with each other and utilize the mutual session key established in each of the first and second subsystems to mutually authenticate each other and to only permit performance of the function upon completion of the mutual authentication.

11. An apparatus as set forth in claim 10, wherein the apparatus is a postage meter (1) and the first and second subsystems are respectively a vault (3) and a printer (5) and the function is printing of an indicia which is performed by the printer.